[Slide] The Kelihos & Severa; the "All Out" version
News category: Malware / Trojans / Viruses
Source: blog.malwaremustdie.org
Background
The "suspected actor" in the slide below is responsible for malware distribution via the RedKit exploit kit [-1-] [-2-] [-3-], Cookie Bomb [-1-] [-2-] [-3-] [-4-], and Malicious Cushion Redirectors [-1-], all of which are linked to and lead to his botnet, Kelihos, a fast-flux botnet [-1-] [-2-] [-3-]. The actor is known as Petr Severa.
When I went to Botconf in December 2013, I spent more time in my secluded hotel room (I stayed separately from the others) than at the conference, so that I could focus on this important disclosure, which our team was depending on me to present well during the Short Talk slot that was generously and thankfully given for this matter. These are the materials that I looked over and over, like a hundred times, thinking about which ones needed to be shared at the conference, which ones had to be shared with law enforcement only, and what information needed to be shared with fellow researchers.
After discussing it with our MalwareMustDie team the night before, and after several discussions with the important persons (FYI: at that time the Kelihos CNC in the Netherlands was successfully taken down by our friend from McAfee, Mr. Christiaan Beek, and our German team, led by wirehack7 together with the LKA, was literally raiding the Kelihos CNC machines in their data center), it was a crazy, busy and hard time for a jet-lagged guy from Japan who was very tired from travelling via the Paris airport for 7 hours (stuck in the airport in long, long lines) and had slept at the front door of the hotel all night, since the door was locked when I arrived at 11pm. I selected the slides that were shared in -->[link], which I rehearsed with Mr. Dhia Mahjoub of OpenDNS, my co-presenter.
Soon it will be three full years since I first decompiled our first Kelihos botnet Win32 binary, and with all due respect to the great, hard-working people in many security incident response entities, internet administration and law enforcement teams, not much has changed in these three years: the actor is still out there receiving his monthly affiliate "fee" and living happily, still practicing his unique modus operandi to spread badness on the internet. We still see Kelihos distributed along with ransomware, and we still see cookie bomb code used to spread malware and ransomware too.
Slide
On some data that I stared at in the hotel room: these are the data collected from our operation against this botnet (excluding Dhia's OpenDNS data). There is very important PoC or evidence amounting to a malicious verdict against a known internet crime bandit from St. Petersburg, "Severa". I collected them all in this slide, adding recompiled and renewed comments with more supporting facts.
Our team was patiently waiting for justice for the crimes committed by a known identity, but as one of our members just said, "I think that full disclosure after 2.5 years is pretty reasonable.." (poke @Kira). This is the best team for fighting any botnet on earth; I am happy to work with them, and I think the world should know what they actually achieved, and who, how and why we know the ID of the botherder that leads to the mentioned actor.
Here is the slide:
Please use the data in the right way. All of the evidence mentioned was found on the internet or in dumps.
#MalwareMustDie
...